Access denied: access to data and the importance of clear audit rights

Scotland

Data is king for many organisations and data sharing is currently a hot topic in the public sector. All public sector bodies will hold data and collect and share certain data with third parties. A recent case (118 Data Resource Ltd v IDS Data Services Ltd and others [2014] EWHC 3629 (Ch)) highlights the challenges in relation to the auditing of data shared under a licence or other commercial agreement, such as an outsourcing agreement. Parties must ensure that any rights of audit, and the purposes for which those audit rights may be exercised, are unambiguous and not unreasonably wide in order to be properly enforceable.

Facts
118 entered into an agreement with a competitor firm, IDS. The Agreement enabled IDS to use 118’s database of contact details for the purposes of checking and verifying IDS’s own data, in return for a substantial fee. 118 became concerned that IDS was misusing the data. In particular, 118 suspected that IDS had granted a sublicence to a third-party rival firm in breach of the terms of the Agreement. The Agreement contained a widely drafted "audit clause" which allowed 118 to enter any IDS premises where copies of the database were held for inspection and auditing purposes. 118 applied for specific performance of this clause, seeking to enter IDS’s premises to audit commercially sensitive information.

The issues
It was recognised that there was an obvious tension to be addressed between 118’s desire to ensure that IDS, as its business rival, did not exceed the terms of the limited licence and IDS’s interest in ensuring that 118 did not have unrestricted access to its know-how in the course of policing the Agreement. The judge looked at the Agreement as a whole before turning to address the following issues:

Who conducts the audit?
Firstly, the Agreement allowed "any duly authorised representative" of 118 to access IDS’s premises. In determining who this included, the Court implied an obligation on 118 to act reasonably. However, there was nothing to prevent 118’s employees conducting the audit themselves, despite the fact that they might learn something to 118’s commercial advantage.

Which premises is access to be given to?
The Agreement allowed access to any premises where the database was being used. However, the Court held that this only extended to IDS’s principal place of business. The Court sought to prevent 118 having a carte blanche to search for anything at all on any premises. Accordingly, the premises to be searched must be linked to the purpose for which the audit is to be conducted.

What is the purpose of the audit?
The audit clause allowed 118 to access IDS’s premises for the broad purpose of "ascertaining whether the provisions of the Agreement are being complied with". 118 sought to audit whether IDS were complying with the restrictions on sublicensing under the Agreement. The Court was satisfied that 118 had limited rights to access IDS’s premises for the limited purpose of policing the use of the database. However, the audit clause must be read in light of 118’s other restricted right under the Agreement to vet the standard terms of sublicences which excluded the commercially sensitive terms of such sublicences. 118’s audit rights were held to be similarly restricted. The Court also held that the Agreement did not contain a sufficient mechanism to regulate what 118 was entitled to do once it gained access to IDS’s premises.

Comment
The Court in this case was influenced by a desire not to allow either party to have access to more sensitive information about the other party than was properly contemplated by the Agreement, as well as various other case-specific circumstances. However, the judgement serves to highlight that parties should be explicit about the scope of any access for audit provisions. An audit clause which is unreasonably wide runs the risk of being found to be unenforceable. This is particularly important in the context of outsourcing agreements which normally contain fairly broad audit rights as a means of regulatory compliance. Careful drafting of such clauses is clearly required to ensure that parties can enforce audit rights in the way in which they intend and equally that commercially sensitive information is not at risk of being disclosed.

Although an English case, the judgement will be persuasive in Scotland. In light of this, it is worthwhile including the following provisions in any audit clause:

  • the purposes for which access is to be provided. Audit requests should be limited to the extent reasonably necessary to allow a specified objective to be achieved. Any specific points of compliance which the parties wish to audit should be expressly narrated;
  • precision regarding the premises to which access is to be given and whether this extends to more than one business premises or archive sites;
  • an exclusion of commercially sensitive information from disclosure;
  • clarity as to who is to be given access. It may be appropriate to limit this to independent, non-competitor third parties if there is a risk that commercially sensitive information will be accessed during the audit; and
  • a mechanism to apply if access is exercised, e.g. compliance with the terms of an applicable security policy, monitoring of the audit process and/or appointment of an independent accountant or another person to review the information and feed back only that which is relevant to the party exercising its audit rights.